The research team from UpGuard, a cybersecurity company, found data leaks from dozens of entities as a result of the default permissions on Microsoft Power Apps portals.
As outlined in a new report, the leaks comprised 38 million records total, across 47 affected organizations.
A Microsoft representative told Healthcare IT News that only a small subset of customers configured the portal as described in the report, and that the company worked closely with those customers to ensure they were using the privacy settings consistent with their needs.
The representative said its primary portal designer, Design Studio, uses strong privacy settings by default and that the organization is in the process of ensuring alternative designer tools default to similar strong settings.
“Our products provide customers flexibility and privacy features to design scalable solutions that meet a wide variety of needs. We take security and privacy seriously, and we encourage our customers to use best practices when configuring products in ways that best meet their privacy needs,” the spokesperson said.
A variety of organizations affected
The types of data included names, email addresses, personal information used for COVID-19 contact tracing, COVID-19 vaccination appointments, Social Security numbers for job applicants and employee IDs.
The UpGuard team's report explains that, as of June 2021, users could create websites in the Power Apps interface with application capabilities, such as forms for users to enter data, storage of structured data, and APIs for other applications to retrieve that data, and it examines what the default permission settings in Power Apps Portals meant for that data.
“Portals provide a public website for interacting with those apps,” said the report.
Power Apps also gives users the option to enable Open Data Protocol (OData) APIs for retrieving data from Power Apps lists, the Power Apps configuration used to expose records for display on portals.
“Lists pull data from tables, and limiting access to the list data that a user can see requires enabling Table Permissions,” read the report. “If those configurations are not set and the OData feed is enabled, anonymous users can access list data freely.”
As of June 2021, all lists had table permissions disabled by default.
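As an added illustration of the self-check an administrator can run against a portal they operate (example code, not UpGuard's research tooling or Microsoft's diagnostic tooling), the following classifies what an unauthenticated request to the portal's OData feed returns. It assumes the feed is served under /_odata with one entity set per OData-enabled list; the sample responses are constructed.

```python
import json
import urllib.error
import urllib.request

# Assumption (not from the article): portals serve the OData feed under this path,
# with the service document at /_odata and each list at /_odata/<entity set>.
ODATA_PATH = "/_odata"


def classify_service_document(status: int, body: str) -> str:
    """Classify an unauthenticated response for the portal's OData service document.

    "feed-disabled": 404, no OData endpoint; "protected": 401/403, anonymous access
    refused; "feed-enabled": a JSON service document listing entity sets (lists);
    "unexpected": anything else, inspect by hand.
    """
    if status == 404:
        return "feed-disabled"
    if status in (401, 403):
        return "protected"
    if status != 200:
        return "unexpected"
    try:
        doc = json.loads(body)
    except json.JSONDecodeError:
        return "unexpected"
    return "feed-enabled" if advertised_lists(doc) else "unexpected"


def advertised_lists(doc: dict) -> list[str]:
    """Entity set names the service document advertises (one per OData-enabled list)."""
    return [e["name"] for e in doc.get("value", []) if isinstance(e, dict) and "name" in e]


def anonymous_record_count(body: str) -> int:
    """Records an anonymous GET of one entity set returned. Any value above zero means
    table permissions are not restricting that list, the misconfiguration in the report."""
    return len(json.loads(body).get("value", []))


def fetch_anonymous(url: str, timeout: float = 10.0) -> tuple[int, str]:
    """GET a URL on a portal you administer, sending no credentials or cookies."""
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, ""


# Constructed sample responses, in OData v4 JSON shape, for an offline dry run.
SAMPLE_SERVICE_DOC = json.dumps({"@odata.context": "https://portal.example/_odata/$metadata",
                                 "value": [{"name": "appointments", "kind": "EntitySet", "url": "appointments"}]})
SAMPLE_LIST_PAGE = json.dumps({"value": [{"id": 1, "email": "a@example.org"}, {"id": 2, "email": "b@example.org"}]})
```

Against a live portal, call classify_service_document(*fetch_anonymous(base_url + ODATA_PATH)); if it reports "feed-enabled", fetch each advertised list at base_url + ODATA_PATH + "/" + name and pass the body to anonymous_record_count, since a non-zero count confirms that table permissions are not limiting anonymous access to that list.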
“In cases like registration pages for COVID-19 vaccinations, there are data types that should be public, like the locations of vaccination sites and available appointment times, and sensitive data that should be private, like the personally identifying information of the people being vaccinated,” noted the team.
“The number of accounts exposing sensitive information, however, indicates that the risk of this feature – the likelihood and impact of its misconfiguration – has not been adequately appreciated,” the report continued.
After flagging the vulnerability for Microsoft, UpGuard notified dozens of organizations that their list data was publicly accessible – including the Indiana Department of Health, which said this past week that the company had “inappropriately accessed” the data from its COVID-19 contact-tracing survey.
UpGuard disputed this characterization in the report, saying that “UpGuard did not exceed our authorized access, and while the data should not have been public, the nature of the data could only be ascertained by downloading and analyzing it.”
Other notified entities included the Maryland Department of Health and Denton County, Texas, both of which had data exposed relating to the COVID-19 pandemic.
New York City Municipal Transportation Authority and NYC Schools, American Airlines, Ford and J.B. Hunt were also among the organizations to whom UpGuard reached out.
Microsoft has since enabled table permissions by default and provided tooling to help Power Apps users self-diagnose their portals.
“This research presents an example of a larger theme, which is how to manage third-party risks (and exposures) posed by platforms that don’t slot neatly into vulnerability disclosure programs as we know them today, but still present as security issues,” wrote the UpGuard team.
Kat Jercich is senior editor of Healthcare IT News.
Healthcare IT News is a HIMSS Media publication.